You’re attempting to install the latest cumulative update onto your Exchange 2016 server (Microsoft Exchange Server 2016 Cumulative Update 3 in this example) but notice that the process fails at:
Step 4 of 11: Mailbox role: Transport service
… with the following error message:
The following error was generated when "$error.Clear();
Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
Install-AuthCertificate -DomainController $RoleDomainController
" was run: "System.Security.Cryptography.CryptographicException: The certificate is expired.
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
The installation does not proceed and you are forced to close the installer. Attempting to run the installer again will restart the process but fail with the same error message.
One of the reasons why this error would be thrown is if you have an expired certificate still binded in IIS as shown in the following screenshot where one of the two https directories have the updated certificate but the other one does not:
To correct the issue, simply update the binding or bindings with a non-expired certificate and rerun the installation. Note that it is ok to have the expired certificate in the local store of the server but it should not be binded.